Yesterday, the United States Department of Health and Human Services (HHS) slapped a mental health nonprofit with a $150,000 fine for HIPAA security rule violations. The Alaskan nonprofit failed to follow basic information technology practices, such as updating its software with available patches, using firewalls, and monitoring and identifying threats. Malware entered the nonprofit’s systems, which also used outdated, unsupported software. As a result, the unsecured protected health information of over 2,700 mental health patients was compromised.
In this case, the mental health nonprofit had not conducted a security risk assessment since the 2005 effective date of the HIPAA security rule. As part of the corrective action plan, HHS required the organization to conduct an annual security risk assessment of the potential risks and vulnerabilities of its electronic protected health information systems. Experts consider annual security risk assessments to be a HIPAA security rule best practice. HHS also mandated new security rule policies, general security awareness training, and signed compliance certification forms for all staff.
The federal government’s willingness to fine a five-facility nonprofit that provides care for the uninsured and underinsured does not bode well for larger institutions with greater information technology resources. HHS’s decision also demonstrates that all organizations must review their security rule policies and ensure that they have implemented appropriate safeguards for electronic protected health information. Nonprofits, local governments, and others that rely on outdated systems to maintain patient information must plan to allocate resources for more secure systems. Through HIPAA audits and settlements agreements such as this one, HHS continues to emphasize the need for covered entities to perform accurate and thorough security risk assessments.